BTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security

Size: px

Start display at page:

Download "BTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security"

Claud Booth
5 years ago
Views:

1 BTEC Level 3 Unit 32 Network System Security Password Authentication and Protection

2 Passwords Why are they important? Passwords are cheap to deploy, but also act as the first line of defense in a security arsenal. They are also often the weakest link.

3 AAA of Password Security Authentication (& Identification) Establishes that the user is who they say they are (credentials). Authorisation The process used to decide if the authenticated person is allowed to access specific information or functions. Access Control Restriction of access (includes authentication & authorization)

How Passwords Can Be Stored Filing System - Clear text Dedicated Authentication Server - Clear text Encrypted - Password + Encryption = bf4ee8hjaqkbw

4 How Passwords Can Be Stored Filing System - Clear text Dedicated Authentication Server - Clear text Encrypted - Password + Encryption = bf4ee8hjaqkbw Hashed - Password + Hash function = aad3b435b51404eeaad3b435b51404ee Salted Hash - (Username + Salt + Password) + Hash function = ed2cb1f5e be16b12419c012

5 Hashing Usually stored as hashes (not plain text) Plain-text is converted into a message digest through use of a hashing algorithm (i.e. MD5, SHA) blund123 blund123

How Passwords are Stored Windows NT/2k/XP/Vista/7 Uses 2 functions for hashing passwords: LAN Manager hash (LM hash) 1. Password is padded with zeros until there are 14 characters.

Result is combined into a 16-byte, one way hash value NT hash (NT hash) 1.

6 How Passwords are Stored Windows NT/2k/XP/Vista/7 Uses 2 functions for hashing passwords: LAN Manager hash (LM hash) 1. Password is padded with zeros until there are 14 characters. 2. It is then converted to uppercase and split into two 7-character pieces 3. Each half is encrypted using an 8-byte DES (data encryption standard) key 4. Result is combined into a 16-byte, one way hash value NT hash (NT hash) 1. Converts password to Unicode and uses MD4 hash algorithm to obtain a 16-byte value Hashes stored in Security Accounts Manager (SAM) 1. Locked within system kernel when system is running. 2. Location - C:\WINNT\SYSTEM32\CONFIG SYSKEY 1. Utility which moves the encryption key for the SAM database off of the computer

7 How Passwords are Stored UNIX/Linux Systems Password hashes stored in /etc/shadow directory (or similar) 1. Only readable by system administrator (root) Less sensitive information still in /etc/password Added expiration dates for passwords

8 Impact on Security Simple hacking tools are available to anyone who looks for them on the Internet. Tools such as LOphtCrack allow admittance into almost anyone's account if a simple eight-digit password is used. People are frightened when they learn that using only an eight-digit password with standard numbers and letters will allow anyone to figure out their passwords in less than two minutes when one downloads a publicly available tool like LOphtCrack from the Internet. This was the kind of tool which we found (in Al Qaeda s arsenal), nothing terribly sophisticated. - Richard Clark, Presidents Advisor on Cyber Security ( ) *Sometimes hacking tools aren t even necessary*

Threats to Security (1) Disclosure Voluntary disclosure of information Inadequate guarding of system passwords Inference Known pattern to creation of passwords Use

9 Threats to Security (1) Disclosure Voluntary disclosure of information Inadequate guarding of system passwords Inference Known pattern to creation of passwords Use of generated passwords with predictable algorithm Exposure Accidental release of password Loss Forgetting to remember passwords Can lead to creation of easy passwords

Threats to Security (2) Snooping/Eavesdropping Keyloggers Network sniffing (intercepting of network communication where a password is submitted) Guessing Limited amount of choices

10 Threats to Security (2) Snooping/Eavesdropping Keyloggers Network sniffing (intercepting of network communication where a password is submitted) Guessing Limited amount of choices which can be figured out through process of elimination Use of blank/common passwords, passwords which can be figured out by knowing name of relatives, pets, etc. Cracking Automated guessing

11 Why is Cracking Possible Passwords are NOT truly random upper/lowercase letters, 10 digits, and 32 punctuation symbols equals 6 quadrillion possible 8-character passwords 2. People like to use dictionary words, relative and pet names equaling 1 million common passwords 3. On average, each person has 8-12 passwords. 4. Different systems impose different password requirements. 5. Passwords need to be changed often. 6. Some passwords

Types of Password Cracking Dictionary Attack Quick technique that tries every word in a specific dictionary Hybrid Attack Adds numbers or symbols to the end of a word Brute Force Attack Tries all

12 Types of Password Cracking Dictionary Attack Quick technique that tries every word in a specific dictionary Hybrid Attack Adds numbers or symbols to the end of a word Brute Force Attack Tries all combinations of letters, numbers & symbols Popular programs for Windows password cracking LophtCrack (discontinued by Symantec when Cain & Abel (UNIX) John the Ripper (UNIX) Sam Inside

13 Dictionary Attack Attacker can compute password for every word in a dictionary and see if the result is in the password file. With 1,000,000 word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

14 Cracking Protection - Salting Salting requires adding a random piece of data and to the password before hashing it. This means that the same string will hash to different values at different times Users with same password have different entries in the password file Salt is stored with the other data as a complete hash Hacker has to get the salt add it to each possible word and then rehash the data prior to comparing with the stored password. blund123 + S41t = S41tblund123 blund123 + S41t = S41tblund123

15 Salting Advantages Without Salt. Attacker can precompute hashes of all dictionary words once for all password entries. Same hash function on all UNIX/Linux machines Identical passwords hash to identical values, so one table of hash values can be used for all passwords on system. With Salt. Attacker must compute hashes of all dictionary words once for each password entry. With 12 bit random salt, same password can hash to 212 different hash values Attacker must try all dictionary words for each salt value in the password file

16 blund123 blund123

Authentication Protocols Password Authentication Protocol (PAP) is a simple authentication protocol in which the user name and password is sent to the remote access server in a plaintext

17 Authentication Protocols Password Authentication Protocol (PAP) is a simple authentication protocol in which the user name and password is sent to the remote access server in a plaintext (unencrypted) form. Using PAP is strongly discouraged because your passwords are easily readable from the Point-to-Point Protocol (PPP) packets exchanged during the authentication process. PAP is typically used only when connecting to older UNIX-based remote access servers that do not support more secure authentication protocols.

18 Authentication Protocols Challenge Handshake Authentication Protocol (CHAP) is a widely supported authentication method in which a representation of the user's password, rather than the password itself, is sent during the authentication process. With CHAP, the remote access server sends a challenge to the remote access client. The remote access client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash result based on the challenge and a hash result computed from the user's password. The remote access client sends the MD5 hash result to the remote access server. The remote access server, which also has access to the hash result of the user's password, performs the same calculation using the hash algorithm and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm provides one-way encryption, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is mathematically infeasible.

19 Authentication Protocols Microsoft created MS-CHAP to authenticate remote Windows-based workstations, integrating the functionality to which LAN-based users are accustomed with the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism to authenticate connections without sending any passwords. MS-CHAP uses the Message Digest 4 (MD4) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and the response. MS-CHAP also provides mechanisms for reporting connection errors and for changing the user's password. The response packet is in a format designed to work with networking products in Windows 95, Windows 98, Windows Millennium Edition, Windows NT, Windows 2000, Windows XP, and the Windows Server 2003/2008/2012 family.

20 Ten Common Mistakes 1. Leaving passwords blank or unchanged from default value. 2. Using the letters p-a-s-s-w-o-r-d as the password. 3. Using a favorite star or football team name as the password. 4. Using a partners name as the password. 5. Using the same password for everything. 6. Writing passwords on post-it notes. 7. Pasting a list of passwords under the keyboard. 8. Storing all passwords in an Excel spreadsheet in a smartphone. 9. Writing all passwords in a personal diary/notebook. 10. Giving the password to someone who claims to be the system administrator.

21 Ten Most Common Passwords Ranking Password MD5 Length 1 password 5f4dcc3b5aa765d61d8327deb882cf e10adc3949ba59abbe56e057f20f883e d55ad283aa400af464c76d713c07ad dc9bdb52d04dc20036dbd8313ed qwerty d8578edf8458ce06fbc5bb76a58c5ca ccb0eea8a706c4c34a16891f84e7b 5 7 dragon 8621ffdbc d97767ac13db3 6 8 letmein 0d107d09f5bbe40cade3de5c71e9e9b7 7 9 football 37b4e2d82900d5e94b8da524fbeb33c abc123 e99a18c428cb38d5f e03 6

22 How secure is your password

Information Security in Systems and Networks

Information Security in Systems and Networks November 30, 2006 Damira Pon University at Albany, SUNY 1 Password Protection 2 Passwords Everywhere the Eye can See 3 Passwords Basic Problem How do you prove